Diffstat (limited to 'shells/scponly/files')
-rw-r--r--shells/scponly/files/patch-SECURITY32
-rw-r--r--shells/scponly/files/patch-helper.c91
-rw-r--r--shells/scponly/files/patch-scponly.c38
3 files changed, 0 insertions, 161 deletions
diff --git a/shells/scponly/files/patch-SECURITY b/shells/scponly/files/patch-SECURITY
deleted file mode 100644
index 89da8df8e0ce..000000000000
--- a/shells/scponly/files/patch-SECURITY
+++ /dev/null
@@ -1,32 +0,0 @@
---- SECURITY.orig 2010-12-10 15:03:24.950162769 -0800
-+++ SECURITY 2010-12-10 15:03:31.669374009 -0800
-@@ -28,6 +28,10 @@
-
- svn, svnserve, rsync, and unison
-
-+ Note specifically that rsync uses popt for parsing command line arguments
-+ and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
-+ users can likely bypass argument checking for rsync.
-+
- 4) Make sure that all files required for the chroot have the IMMUTABLE and
- UNDELETABLE bits set. Other bits might also be prudent. See: man 1 chattr.
-
-@@ -39,13 +43,16 @@
- ~/.ssh, ~/.unison, ~/.subversion
-
- NOTE: depending on file permissions in the above, ssh, unison, and
-- subversion may not work correctly.
-+ subversion may not work correctly. Also note that the location of the
-+ above directories is sometimes system dependent, so please check the
-+ documentation specific to your system.
-
- 7) Make sure that every directory the users have write permissions to are
- on a filesystem that is mounted NODEV, NOEXEC. Eg. Make sure that they
- cannot execute files that they have permissions to upload. They should
- also not need permissions to create any devices. If the user can't execute
-- any files that he has access to upload, then you need not worry about the
-+ any files that he has access to upload and the executable files on the
-+ system are not considered harmful, then you need not worry about the
- security problems referencing svn/svnserve above!
-
- 8) Monitor your logs! If you start to see something funny, odd, or strange in
diff --git a/shells/scponly/files/patch-helper.c b/shells/scponly/files/patch-helper.c
deleted file mode 100644
index a7696d0288a3..000000000000
--- a/shells/scponly/files/patch-helper.c
+++ /dev/null
@@ -1,91 +0,0 @@
---- helper.c 2007/08/10 18:37:27 1.24
-+++ helper.c 2008/03/08 18:57:48 1.25
-@@ -26,6 +26,11 @@
- #endif
- #endif
-
-+#ifdef RSYNC_COMPAT
-+#define RSYNC_ARG_SERVER 0x01
-+#define RSYNC_ARG_EXECUTE 0x02
-+#endif
-+
- #define MAX(x,y) ( ( x > y ) ? x : y )
- #define MIN(x,y) ( ( x < y ) ? x : y )
-
-@@ -164,6 +169,13 @@
- int ch;
- int ac=0;
- int longopt_index = 0;
-+#ifdef RSYNC_COMPAT
-+ /*
-+ * bitwise flag: 0x01 = server, 0x02 = -e.
-+ * Thus 0x03 is allowed and 0x01 is allowed, but 0x02 is not allowed
-+ */
-+ int rsync_flags = 0;
-+#endif /* RSYNC_COMPAT */
-
- while (cmdarg != NULL)
- {
-@@ -182,7 +194,7 @@
- */
- if (1 == cmdarg->getoptflag)
- {
-- debug(LOG_DEBUG, "Using getopt processing for cmd %s\n (%s)", cmdarg->name, logstamp());
-+ debug(LOG_DEBUG, "Using getopt processing for cmd%s\n (%s)", cmdarg->name, logstamp());
- /*
- * first count the arguments in the vector
- */
-@@ -207,7 +219,7 @@
- * otherwise, try a glibc-style reset of the global getopt vars
- */
- optind=0;
--#endif
-+#endif /* HAVE_OPTRESET */
- /*
- * tell getopt to only be strict if the 'opts' is well defined
- */
-@@ -216,6 +228,18 @@
-
- debug(LOG_DEBUG, "getopt processing returned '%c' (%s)", ch, logstamp());
-
-+#ifdef RSYNC_COMPAT
-+ if (exact_match(cmdarg->name, PROG_RSYNC) && (ch == 's' || ch == 'e')) {
-+ if (ch == 's')
-+ rsync_flags |= RSYNC_ARG_SERVER;
-+ else
-+ /* -e */
-+ rsync_flags |= RSYNC_ARG_EXECUTE;
-+ debug(LOG_DEBUG, "rsync_flags are now set to: %0x", rsync_flags);
-+ }
-+ else
-+#endif /* RSYNC_COMPAT */
-+
- /* if the character is found in badarg, then it's not a permitted option */
- if (cmdarg->badarg != NULL && (strchr(cmdarg->badarg, ch) != NULL))
- {
-@@ -230,14 +254,23 @@
- return 1;
- }
- }
--#elif
-+#ifdef RSYNC_COMPAT
-+ /* it's not safe if the execute flag was set and server was not set */
-+ if ((rsync_flags & RSYNC_ARG_EXECUTE) != 0 && (rsync_flags & RSYNC_ARG_SERVER) == 0) {
-+ syslog(LOG_ERR, "option 'e' is not allowed unless '--server' is also set with cmd %s (%s)",
-+ PROG_RSYNC, logstamp());
-+ return 1;
-+ }
-+#endif /* RSYNC_COMPAT */
-+
-+#elif /* HAVE_GETOPT */
- /*
- * make sure that processing doesn't continue if we can't validate a rsync check
- * and if the getopt flag is set.
- */
- syslog(LOG_ERR, "a getopt() argument check could not be performed for %s, recompile scponly without support for %s or rebuild scponly with getopt", av[0], av[0]);
- return 1;
--#endif
-+#endif /* HAVE_GETOPT */
- }
- else
- /*
diff --git a/shells/scponly/files/patch-scponly.c b/shells/scponly/files/patch-scponly.c
deleted file mode 100644
index 571d73489bb6..000000000000
--- a/shells/scponly/files/patch-scponly.c
+++ /dev/null
@@ -1,38 +0,0 @@
---- scponly.c 2008/01/15 06:30:20 1.45
-+++ scponly.c 2008/03/08 18:57:48 1.46
-@@ -91,16 +91,18 @@
-
- #ifdef RSYNC_COMPAT
- struct option rsync_longopts[] = {
-+ /* options we need to know about that are safe */
-+ {"server", 0, 0, (int)'s'},
- /* I use 'e' for val here because that's what's listed in cmd_arg_t->badarg */
-- {"rsh", 1, 0, (int)'e'},
-+ {"rsh", 1, 0, (int)'r'},
- /* the following are disabled because they use daemon mode */
-- {"daemon", 0, 0, (int)'e'},
-- {"rsync-path", 1, 0, (int)'e'},
-- {"address", 1, 0, (int)'e'},
-- {"port", 1, 0, (int)'e'},
-- {"sockopts", 1, 0, (int)'e'},
-- {"config", 1, 0, (int)'e'},
-- {"no-detach", 0, 0, (int)'e'},
-+ {"daemon", 0, 0, (int)'d'},
-+ {"rsync-path", 1, 0, (int)'d'},
-+ {"address", 1, 0, (int)'d'},
-+ {"port", 1, 0, (int)'d'},
-+ {"sockopts", 1, 0, (int)'d'},
-+ {"config", 1, 0, (int)'d'},
-+ {"no-detach", 0, 0, (int)'d'},
- { NULL, 0, NULL, 0 },
- };
- #endif
-@@ -157,7 +159,7 @@
- { PROG_SCP, 1, 1, "SoF", "dfl:prtvBCc:i:P:q1246S:o:F:", empty_longopts },
- #endif
- #ifdef RSYNC_COMPAT
-- { PROG_RSYNC, 1, 0, "e", "e:", rsync_longopts },
-+ { PROG_RSYNC, 1, 0, "rde", "e::", rsync_longopts },
- #endif
- #ifdef UNISON_COMPAT
- { PROG_UNISON, 0, 0, "-rshcmd", NULL, empty_longopts },